Sharing the Expectation of Privacy
When reviewing this week’s material, one phrase jumped out at me: “…where privacy expectations intersect with digital learning innovation.”
What does it mean to expect privacy as an individual, or an organization, as a government? Who is demanding what protections, and under which circumstances will they give up their information in exchange for what benefits?
That’s a lot of variables for one short post, but we can break down a couple of them.
The Individual
In a sense, the battle for individual privacy has been lost… And people know it. The more a person participates in the core elements modern society (education, employment, finding housing, purchasing essential goods), the more they give up their privacy.
This is particularly true of learners: from university degrees to casual workshops, education is increasingly-integrated with communication technology. Learning means logging in, and logging in means giving up your personal details and (in the case of algorithm-driven social media) your patterns of behavior.
The only thing standing between online platforms and your data are their own Terms of Service and Privacy Policies… And even if learners had a real choice regarding which ones to agree to, they’re not exactly light reading.
Given that the battle is lost on the individual level, where can we turn next?
The Organization
The bad news is that there are no decent internal incentives for a private business to protect the privacy of its customers and employees (beyond bad publicity, which can be avoided with secrecy and the end-user-apathy discussed above).
There are two pieces of good news, however. The first is that external incentives can be imposed (see below). The second is that non-profit organizations can and do take steps to protect users’ privacy, changing the narrative for the better…. Though have certainly been some bumps in the road.
The Government
This is where the rubber hits the road. Protecting that which it isn’t profitable to protect is what the government is for, and lately I’ve been encouraged by how much Canada is accomplishing.
For the private sector there’s PIPEDA, which protects the rights of end users: it goes a long way towards improving transparency and investigating breaches (though those numbers aren’t going down, likely as a result of our increasingly-interconnected society: more data means more breaches).
In BC, we also have PIPA and its education-specific counterpart FIPA. I can tell you from personal experience that these acts have teeth: operations at UVic and beyond are being held accountable to them every time someone wants to purchase software or make decisions about collecting and storing data.
A fun fact from my own career: when I worked at UVic’s Technology Solutions Centre, I was the first point of contact for staff and faculty looking to purchase both hardware and software. In that position, I saw how FIPPA compliance is prioritized on a day-to-day level. As a result, I can assure you that protecting student data is not only balanced against the university’s other needs (such as logistical convenience), but that it fully overrules those needs…
…And as anyone who has used Duo MFA will agree, protecting privacy is an ongoing and sometimes inconvenient battle–Especially during that app’s rollout, which certainly made my job at the Computer Help Desk very busy for a while.
Of course, login protection systems like Duo are both a privacy safeguard and a privacy risk… But that sort of cost/benefit analysis will have to wait until another blog post, hopefully by somebody with more cybersecurity experience than me.
Wow I cannot believe the length of time for those privacy agreements- I always knew it was long but close to 40 minutes of reading! Maybe we can all rally to turn that into a mandatory video series instead… But in all seriousness, I do find it somewhat reassuring to know that the government of Canada is actually taking steps to shelter and protect our personal information even if them having so much access in the first place feels like it’s own breach of privacy. I think it’s wonderful there are organizations at work trying to protect data harvesters but is it really something we ‘should’ be needing to support as a non-profit? There’s no doubt it’s an important goal and I’d love to know there’s less breaches of privacy especially on the corporate level which is likely just using this information to increase their monetary gains I just cannot believe that is the state of the world.
I really appreciate how you explored privacy from the individual, organizational, and government perspectives. and I can also say that I have never read the terms for the privacy agreements on anything because they are always so so long. and I know social media platforms do this on purpose as well as no one reads the fine print. it makes me wonder. Given how few people actually read Terms and Conditions, what do you think are some realistic ways that organizations or governments could make consent more meaningful for users, especially students?